Logstash CSV - Changing columns settings based on first character

Hi,

I've come across this thread Changing columns based on first character, but I'm not totally sure if it was resolved.

I have a CSV file with plenty of entries like this:

7,1553082122,49318237,2019/03/20 07:42:02 049318237,20482,3,silex-buildfarm,silex-buildfarm_PDC-BLD-177,dm-Login,10.129.19.54/10.0.17.147,,v77,,usage,34.5s,16,1,0,32,0,0,5084,0
9,1553082122,49318237,2019/03/20 07:42:02 049318237,20482,3,silex-buildfarm,silex-buildfarm_PDC-BLD-177,dm-Login,10.129.19.54/10.0.17.147,,v77,,db,db.user,0,0,0,0,0,3,1,4,0,0,1,0
7,1553082122,49659473,2019/03/20 07:42:02 049659473,25693,1,aradojkovic,~tmp.1553080163.41356.5c921f631f52b8.16444782,user-login,10.129.19.54/10.47.4.115,SWARM,2018.1/1660025 (brokered),-s,usage,1958s,9,3,0,48,0,0,4600,0
9,1553082122,49659473,2019/03/20 07:42:02 049659473,25693,1,aradojkovic,~tmp.1553080163.41356.5c921f631f52b8.16444782,user-login,10.129.19.54/10.47.4.115,SWARM,2018.1/1660025 (brokered),-s,db,db.user,0,0,0,0,0,2,1,2,0,0,1,0

Filebeat is sending the logs to my Logstash. I want Logstash to gather only the first digit of each line. Based on that, I would create an if statement based on the digit received and set the proper columns for each line.

My if statement looks like this.

if [value] == 7 {
  csv {
    separator => ","
    columns => ["event_type","unix_time","high_precision_time","date","pid","command_number","user","client","function","host","program","version","argument","tracking_type","timer","user_time","system_time","io_read","io_writes","ipc_in","ipc_out","max_physical_mem","page_faults"]
  }
}

I'm having a hard time parsing the first digit; I can't find a way to put the value into a variable so I can create an if statement on this particular value.

I'm new to ELK, I'm still trying to figure out what I could do.

Is there anything I missed?

Thanks again

Charles_

    mutate { copy => { "message" => "firstChar" } }
    mutate { gsub => [ "firstChar", "^(.).*", "\1" ] }

Thanks,

Does my filter look ok?

filter {
  mutate { copy => { "message" => "firstChar" } }
  mutate { gsub => [ "firstChar", "^(.).*", "\1" ] }

  if [firstChar] == 14 {
    csv {
      separator => ","
      columns => ["event_type","unix_time","high_precision_time","date","pid","command_number","user","client","function","host","program","version","argument","tracking_type","timer","user_time","system_time","io_read","io_writes","ipc_in","ipc_out","max_physical_mem","page_faults"]
    }
  }
}

I can see that a new field called firstChar has been created.

It seems like "firstChar" is being indexed. The value inside is ok though.

My if statement also doesn't work; the columns are not being created for each value between the separators. It all goes into "message".

You could change firstChar to [@metadata][firstChar] to avoid that. firstChar is a single character, so "if [firstChar] == 14" will never be true.

Hi,

Thanks for the clarification. Indeed, @metadata doesn't index the actual value anymore, which is good.

Even with a single value in firstChar, it's not creating an index for each column. It seems like my if statement is never true.

filter {
  mutate { copy => { "message" => "[@metadata][firstChar]" } }
  mutate { gsub => [ "[@metadata][firstChar]", "^(.).*", "\1" ] }

  if [@metadata][firstChar] == 7 {
    csv {
      separator => ","
      columns => ["event_type","unix_time","high_precision_time","date","pid","command_number","user","client","function","host","program","version","argument","tracking_type","timer","user_time","system_time","io_read","io_writes","ipc_in","ipc_out","max_physical_mem","page_faults"]
    }
  }
}

When you say to replace firstChar with [@metadata][firstChar], do I need to replace it for every occurrence in the config file?

Regards,

It will be a string, so you need a string comparison.

if [@metadata][firstChar] == "7"
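The thread's pieces put together in one filter, as an added example that is neither the poster's config nor Elastic's: the first character is kept under [@metadata] so it is never indexed, the conditional compares it as the string "7", and counters are converted to integers so they can be aggregated. Assumptions not on the page: the `convert` list, the handling of event type 9 (only the 14 leading columns it visibly shares with type 7 are named; the csv filter auto-names the rest column15, column16, ...), and the `_unknown_event_type` tag for lines with any other leading character.

```logstash
filter {
  # Copy the raw line and keep only its first character. Fields under
  # [@metadata] can be used in conditionals but are not sent to the output.
  mutate { copy => { "message" => "[@metadata][firstChar]" } }
  mutate { gsub => [ "[@metadata][firstChar]", "^(.).*", "\1" ] }

  # gsub leaves a string behind, so compare against "7"; the number 7 never matches.
  if [@metadata][firstChar] == "7" {
    csv {
      separator => ","
      columns => ["event_type","unix_time","high_precision_time","date","pid","command_number","user","client","function","host","program","version","argument","tracking_type","timer","user_time","system_time","io_read","io_writes","ipc_in","ipc_out","max_physical_mem","page_faults"]
      # Assumed: store the counters as integers so they can be aggregated.
      convert => {
        "event_type"       => "integer"
        "unix_time"        => "integer"
        "pid"              => "integer"
        "user_time"        => "integer"
        "system_time"      => "integer"
        "io_read"          => "integer"
        "io_writes"        => "integer"
        "ipc_in"           => "integer"
        "ipc_out"          => "integer"
        "max_physical_mem" => "integer"
        "page_faults"      => "integer"
      }
    }
  } else if [@metadata][firstChar] == "9" {
    # Assumed: type 9 rows share the first 14 fields with type 7. Fields beyond
    # the list are auto-named column15, column16, ... until their meaning is known.
    csv {
      separator => ","
      columns => ["event_type","unix_time","high_precision_time","date","pid","command_number","user","client","function","host","program","version","argument","tracking_type"]
    }
  } else {
    # Any other leading character: keep the raw line in "message" and flag it for review.
    mutate { add_tag => [ "_unknown_event_type" ] }
  }
}
```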

Hi Badger,

It's working perfectly with

Thanks a lot for your support, it's really appreciated.

You can close this case :slight_smile:

Thanks again.

Charles_
